Fast Password Cracking with a Huge Dictionary File and oclHashcat-Plus

We rely on passwords to secure our home systems and business servers and to protect our online information. But as cracking programs improve and video cards get faster (video card GPUs are used for cracking), passwords are becoming much easier to crack.

How big of a problem is this?

I was able to take a publicly released password hash dump file and crack 86% of it…

In 30 minutes…

In this article we will take a look at how fast passwords can be recovered from password hashes when a gigantic dictionary file is combined with a super-fast, GPU-based cracking program.

In the test we will be using oclHashcat-Plus, CrackStation’s massive 15 Gigabyte password file and an unnamed password hash file that was publicly dumped. The computer used was a Windows 7 system with a Core i5-750 running at 2.67 GHz and a single AMD Radeon 7870 video card.

CrackStation’s dictionary file is very impressive. According to their website, it contains:

“… every wordlist, dictionary, and password database leak that I could find on the internet (and I spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.”

I used a fairly recently released password hash file that contained over 7,000 user hashes. I chose this one due to the size. Yes, much larger ones are out there, but I thought the size corresponded more realistically to an average company that a pentester or incident response team would be dealing with. Besides, how many American businesses have a million or more employees?

Okay, first up, as a baseline let’s run the hash dump against the ever-popular dictionary file RockYou:

Straight Crack with RockYou Wordlist

At a speed of 9567.3k/s it took a whopping 12 seconds and was able to recover 46% of the hashes. Pretty impressive.

Okay, let’s start over and try the CrackStation word list:

Straight Crack Command

And the results:

Straight Crack Stats

At a speed of 20430.3k/s it was able to recover about 66% of the hashes in 13 minutes.

That is amazing, but what if we try running oclHashcat-plus using rules? Rules are somewhat like a programming language for password crackers. They allow you to do different things with each word in the dictionary file, like invert it, double it, insert random special characters or numbers, or even transform the word into “1337 speak”.

This creates a very powerful capability for defeating the habits many people have of trying to disguise their passwords.

First up, we will use one of the standard rules, Best64:

Straight crack with Best64 rule

And the results:

Straight crack with Best64 rule stats

Wow, it recovered 78% of the hashes in only 5 minutes!

Alright, let’s try one of the larger rule files which includes a lot more word combinations. How about passwordspro?

Straight crack with passwordspro rule command

And the results:

Straight crack with passwordspro rule

About 86% of the passwords recovered in just over 30 minutes!

There are several other rule files I could use, and I could use more involved techniques like hybrid masks and multiple dictionary files, but using only this single dictionary file and a standard rules file I was able to recover the majority of the passwords in only 30 minutes.

The purpose of this exercise was not to show how to crack passwords, but to show how insecure passwords can be. Simply adding a “salt” to the password hashes (a random value combined with each password before it is hashed) would make each hash unique and make them significantly harder to crack.
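
The effect of salting described above, as an added example that is not part of the original article: it stores the same constructed accounts once as bare fast hashes and once with a per-user random salt, then counts the hash computations a dictionary audit needs against each store. SHA-256, PBKDF2 and the iteration count are assumptions made for the example; the article does not name the hash type of the dump.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not taken from the dump in the article).
ACCOUNTS = {"alice": "summer2013", "bob": "summer2013", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "letmein", "summer2013", "qwerty"]

def unsalted_hash(password):
    # Weak storage: a bare fast hash, so equal passwords give equal hashes.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt, iterations=10_000):
    # Hardened storage: the per-user salt is mixed in by PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_stores():
    unsalted = {user: unsalted_hash(pw) for user, pw in ACCOUNTS.items()}
    salted = {}
    for user, pw in ACCOUNTS.items():
        salt = os.urandom(16)  # fresh random salt for every account
        salted[user] = (salt, salted_hash(pw, salt))
    return unsalted, salted

def audit_unsalted(store):
    # Each word is hashed once and checked against every stored hash at once.
    lookup = {unsalted_hash(word): word for word in WORDLIST}
    found = {user for user, digest in store.items() if digest in lookup}
    return found, len(WORDLIST)

def audit_salted(store):
    # Every salt differs, so each word has to be re-hashed for each account.
    found, work = set(), 0
    for user, (salt, digest) in store.items():
        for word in WORDLIST:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt), digest):
                found.add(user)
                break
    return found, work

def verify_login(store, user, password):
    salt, digest = store[user]
    return hmac.compare_digest(salted_hash(password, salt), digest)

if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted:", audit_unsalted(unsalted))
    print("salted:  ", audit_salted(salted))
```

The weak passwords in the wordlist are found in both stores; the salt removes the shared lookup, so the work grows with the number of accounts instead of being paid once for the whole file.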

Implementing a policy requiring your users to use long, complex passwords would also help, or better yet, implement multi-factor authentication for your systems.

Also, it is best to use a different password for every account you have, especially important online accounts that include personal information. That way, if a password is compromised, the hacker will not have access to every one of your accounts.